COMMAND
MandrakeUpdate
SYSTEMS AFFECTED
Linux-Mandrake 6.0, 6.1, 7.0, 7.1
PROBLEM
Following is based on Linux-Mandrake Security Advisory. There is
a possible race condition in MandrakeUpdate that has the potential
for users to tamper with RPMs downloaded by MandrakeUpdate prior
to them being installed. This is due to files being stored in the
/tmp directory. This is a very low security-risk as most servers
that provide user logins shouldn't be using MandrakeUpdate. These
updated versions provide a fix for the problem by using /root/tmp
instead of /tmp.
SOLUTION
Patch:
Linux-Mandrake 6.0: 6.0/RPMS/MandrakeUpdate-6.0-6mdk.i586.rpm
6.0/RPMS/grpmi-0.9-6mdk.i586.rpm
6.0/SRPMS/MandrakeUpdate-6.0-6mdk.src.rpm
Linux-Mandrake 6.1: 6.1/RPMS/MandrakeUpdate-6.1-4mdk.i586.rpm
6.1/RPMS/grpmi-0.9-4mdk.i586.rpm
6.1/SRPMS/MandrakeUpdate-6.1-4mdk.src.rpm
Linux-Mandrake 7.0: 7.0/RPMS/grpmi-0.9-13mdk.i586.rpm
7.0/SRPMS/MandrakeUpdate-7.0-13mdk.src.rpm
Linux-Mandrake 7.1: 7.1/RPMS/MandrakeUpdate-7.1-9mdk.i586.rpm
7.1/RPMS/grpmi-7.1-9mdk.i586.rpm
7.1/SRPMS/MandrakeUpdate-7.1-9mdk.src.rpm